Back to posts
Data Breaches
Compliance
GDPR Compliance

We found a security vulnerability on your website": how should you respond?

Jovan Stevovic
January 27, 2025
6 min read
We found a security vulnerability on your website": how should you respond?

Cybersecurity threats are an ever-present reality. If you’ve received an email from a so-called “security researcher” claiming to have found a vulnerability on your website, you’re not alone. While many of these reports turn out to be minor issues or scams, sometimes they reveal something serious.

When that happens, how you respond can make all the difference.

Let’s break it down step by step so you can navigate this situation with confidence.

Step 1: Don’t panic

When faced with a potential vulnerability, it’s natural to feel overwhelmed. But remember, staying calm and methodical is your best ally.Verify the claim

  • Check the email carefully. Does it provide specifics about the vulnerability?
  • Look for evidence like leaked data or proof of evidence.
  • Be wary of vague claims or requests for payment—these might be scams.

🌟 Pro Tip: Many vulnerabilities can be easily patched. Before reacting, confirm whether this is a real breach or an exaggerated claim.

Step 2: Better safe than sorry

In this case: better safe than sorry is the motto. If there’s any possibility of a breach you should contact the DPO. 📞

Why is this crucial?

  • A DPO is trained to handle breaches. They’ll know what to look for and what steps to take.
  • They’ll guide you on assessing the breach’s severity and whether GDPR or other regulations apply ⏳

🔑 Remember: Quick action is key. If personal data was compromised, GDPR requires you to notify your data protection authority (DPA) within 72 hours. Notifications can also be partial (for example, you don’t need to know the full extent of the breach at the moment of the notification).

Step 3: Assess the damage

Once your DPO is on board, it’s time to dig deeper. 🕵️‍♀️

What should you do?

  1. Check the Logs: Analyze your server and application logs for signs of unauthorized access.
  2. Identify Breached Data: Was personal data affected? If yes, determine the type and scope (e.g., emails, passwords, or financial info).
  3. Understand the Vulnerability: Is it a minor issue or something critical like SQL injection or an unpatched API?

📊 Pro Tip: Tools like intrusion detection systems (IDS) or vulnerability scanners can help you pinpoint the issue.

Step 4: Take immediate action

If a breach is confirmed, your next steps are critical. Here’s what you should focus on:

A. Secure your systems

  • Patch the vulnerability to prevent further access.
  • Change any affected passwords or credentials.
  • Monitor your systems for unusual activity.

🔒 Tip: Ensure regular security audits and pentesting to prevent such incidents in the future.

B. Notify authorities and users

Depending on the details and your local laws (there are different specific rules in each jurisdiction), you may need to notify:

  • The DPA: If personal data is involved, file a breach notification within 72 hours.
  • Affected Users: Inform them promptly, especially if the breach poses significant risks to their rights.

💌 Transparency is key. Clearly communicate what happened, how you’re fixing it, and what users should do (e.g., change passwords).

C. Evaluate the hacker’s intentions

Ethical hackers view vulnerabilities as a source of income. The key difference is how they react to your vulnerabilities.

  • An ethical hacker will point directly to the vulnerability.
  • An unethical hacker will leverage your vulnerability to access certain types of data you store.

Some “ethical hackers” genuinely aim to help improve security. Others view finding vulnerabilities as a source of income. Yet others may use vulnerabilities as leverage for blackmail/ransom demands. Be cautious.

📉 Avoid Paying Ransoms: Paying could lead to more demands or encourage further attacks. Instead, work with cybersecurity professionals to mitigate the situation.

Common pitfalls to avoid

A. Brushing it under the rug

Ignoring a breach can lead to serious consequences, including fines, reputational damage, and loss of customer trust. Have you heard the case of Vaastamo, the Finnish private psychotherapy service? Back in 2020 they got their patients’ database hacked. 3 years later, the Helsinki District Court sentenced the ex-CEO of Vastaamo. He was found guilty of a data protection crime mandated in the GDPR.

B. Thinking you’re too small

Many small businesses think they’re too insignificant to be targeted. That’s a myth. Cyberattacks are often automated, meaning every website is at risk.

C. Skipping documentation

Document every step you take during a breach response. This will be invaluable if regulators investigate or if you need to show customers you acted responsibly.

D. Failing to implement proper logs

Logs are your best friends in the aftermath of a security incident. Yet, many companies fail to set them up or maintain them properly.  Conduct periodic reviews of your logs to ensure they’re capturing the necessary information. This proactive approach can save you valuable time during a breach investigation.

Prevention is the best defence

While breaches can’t always be avoided, strong security practices can minimize risks. Here’s how to protect your business proactively:

  • Regular security audits: Conduct vulnerability scans and penetration testing to identify weak points.
  • Employee training: Human error is a leading cause of breaches. Educate your team on cybersecurity best practices.
  • Incident response plan: Prepare a step-by-step plan for handling breaches. This ensures everyone knows their role in a crisis.
  • Data minimization: Only collect and store the data you need. The less you have, the smaller the target for attackers.

💡 Bonus Tip: Platforms like ChecksME can help you stay GDPR-compliant and build a strong data protection foundation.

Conclusion

Receiving a “vulnerability found” email can be stressful, but it doesn’t have to be a disaster. By staying calm, involving your DPO, and following best practices, you can handle breaches effectively and minimize damage.

Cybersecurity isn’t just about reacting to threats—it’s about being prepared. Every company, no matter its size, is a potential target. But with the right tools and mindset, you can protect your business and build trust with your customers.

Have you ever faced a cybersecurity scare? How did you handle it? Share your experiences in the comments below! 💬👇

Need help figuring it out? We’re here to help! 🙋

Chino.io is the one-stop shop for solving all privacy and security compliance aspects.

As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.

Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, book a call with our experts.

Still have questions?

Talk to an expert